Malicious PDF — malware analysis report

Static analysis result for SHA-256 ded9a657ad72113a…

Verdict: MALICIOUS
File type: PDF
Size: 32.0 KB
Created: 2020-10-30 00:58:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00495bd86b6b9e4704b8a1a846e7b231
SHA-1: 2a7f46fb465c885fd8b28ffc7764409502b4caf4
SHA-256: ded9a657ad72113aa4d07156c4a906c5032a377ab6522cac2da91401ae569590
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links, one of which, https://cctraff.ru/123?keyword=grantor+and+grantee+in+real+estate, is identified as a malicious redirector. The document body, though heavily obfuscated, contains real-estate text alongside the malicious URL, suggesting a keyword lure. The numerous external PDF links, mostly clustered on one host, indicate a link farm, a common tactic for SEO manipulation and traffic redirection. None of the heuristics reports embedded JavaScript or a parser exploit; the risk rests on a user clicking into the redirect chain, so the document is a delivery vehicle rather than an exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/123?keyword=grantor+and+grantee+in+real+estate
    • https://cdn-cms.f-static.net/uploads/4365536/normal_5f8fd2ccd03a5.pdf
    • https://cdn-cms.f-static.net/uploads/4418968/normal_5f993d68786b4.pdf
    • https://cdn-cms.f-static.net/uploads/4379601/normal_5f8d5457b9d44.pdf
    • https://cdn-cms.f-static.net/uploads/4382418/normal_5f9a1dbf22891.pdf
    • https://cdn-cms.f-static.net/uploads/4375886/normal_5f9a04c2aa102.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/83bbc932-8684-47a5-b40d-0956b513bdd7/chant_basque_paroles.pdf
    • https://cdn.shopify.com/s/files/1/0434/6734/1974/files/design_process_worksheet_elementary.pdf
    • https://uploads.strikinglycdn.com/files/d405fd01-49b4-4640-ac30-42199d575be0/dufusu.pdf
    • https://uploads.strikinglycdn.com/files/7f7cfccd-68d2-4ac7-9ef2-084b32bea64a/enlaces_quimicos_ejercicios_resueltos.pdf
    • https://uploads.strikinglycdn.com/files/c3d7407c-0ab5-4383-8950-85b29a9ea544/41175878518.pdf
    • https://uploads.strikinglycdn.com/files/f7707f40-95e7-428e-82fe-dc7d97705989/wexekazudunizasu.pdf
    • https://uploads.strikinglycdn.com/files/b33d753c-03a5-45ad-b1e0-f0cbd651f461/nelujosorir.pdf
    • https://uploads.strikinglycdn.com/files/8ba6ca82-5464-45b3-b93a-1ec86e9cd924/learn_appium.pdf
    • https://cdn.shopify.com/s/files/1/0431/5512/8477/files/why_do_the_oppressed_want_to_become_the_oppressors.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006d3d.bin
SHA-256: adb2755a60cad13b733454088641020d1e9664a5dd7646a9fcc2f43c67a3817a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6D3D
Size: 5024 bytes